Help needed: failure to set posix ACL in s3fs

Andrew Bartlett abartlet at samba.org
Tue May 8 20:30:00 MDT 2012


On Wed, 2012-05-09 at 08:00 +1000, Andrew Bartlett wrote:
> Using my master-devel branch, I've been testing creating a new group
> policy object (from Windows 7 RSAT)
> 
> Attached is the log I get at level 10, with the failure to set the
> default directory ACL (after successfully setting the file ACL, with
> what appears to be the same values).
> 
> If someone who understands this code better than I could have a look, I
> would most appreciate it, as this is the primary blocker before we can
> think about enabling s3fs.
> 

I've been looking at this carefully, and the key is that the
SMB_ACL_GROUP entry for S-1-5-21-4177067393-1453636373-93818737-512 gid
3000007 (3000007) is duplicated in the directory case.

This is because of an interaction with:

commit a5038ace24559bb02eec8262d3af5b5e78634d16
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Sep 2 11:58:56 2011 -0700

    Part 2 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid for set (Invalid argument)

    Only map CREATOR_OWNER/CREATOR_GROUP to ACL_USER_OBJ/ACL_GROUP_OBJ in
    a default(directory) ACL set.

When used with the IDMAP_BOTH supporting code, I need to (effectively)
revert the above, otherwise I cannot force an object to be ACL_GROUP_OBJ
(instead, it becomes ACL_GROUP, and becomes duplicated). 

I would very much appreciate some assistance with this, as this code is
not only security-critical, it is also incredibly complex.
Additionally, as the patch in question works without my changes (but
gives a wrong posix ACL), and was added only recently for a bug, I
assume reverting it isn't the correct answer.

The issue is that when we then fill in the ACL_GROUP_OBJ, we get this:

> /data/samba-2/bin/smbd: print_canon_ace_list: dir ace - before valid
> /data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0xb perms rwx
> /data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
> /data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x3 perms r-x

turned into:

> /data/samba-2/bin/smbd: print_canon_ace_list: dir ace - return
> /data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x0 perms ---
> /data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER ace_flags = 0x0 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
> /data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
> /data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 6. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0xb perms rwx
> /data/samba-2/bin/smbd: canon_ace index 7. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 8. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
> /data/samba-2/bin/smbd: canon_ace index 9. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x3 perms r-x

which ends up giving this (with duplicate group:3000007 entries):

> /data/samba-2/bin/smbd: Calling acl_set_file: s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730}, 1
> 
> /data/samba-2/bin/smbd: smb_acl_to_posix: ACL group:3000007:---
> /data/samba-2/bin/smbd: user:3000007:rwx
> /data/samba-2/bin/smbd: other::---
> /data/samba-2/bin/smbd: group::---
> /data/samba-2/bin/smbd: group:3000007:rwx
> /data/samba-2/bin/smbd: group:3000005:rwx
> /data/samba-2/bin/smbd: user::rwx
> /data/samba-2/bin/smbd: group:3000066:rwx
> /data/samba-2/bin/smbd: group:3000002:r-x
> /data/samba-2/bin/smbd: group:3000067:r-x
> /data/samba-2/bin/smbd: mask::rwx
> /data/samba-2/bin/smbd:  is invalid for set (Invalid argument)
> /data/samba-2/bin/smbd: set_canon_ace_list: sys_acl_set_file type directory default failed for file s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730} (Invalid argument).
> /data/samba-2/bin/smbd: pop_sec_ctx (0, 100) - sec_ctx_stack_ndx = 0
> /data/samba-2/bin/smbd: set_nt_acl: failed to set default acl on directory s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730} (Invalid argument).
> /data/samba-2/bin/smbd: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_setinfo.c:127
> /data/samba-2/bin/smbd: smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2180

The almost-identical file ACL is not impacted by the change I identified
above, so it works perfectly.

This also seems to trigger some very complex code that tries to make a
user token for the group (domain admins, 3000007) to see if it is a
member of the other groups. 

Finally, when we get all this sorted, we need to work out what to do
with a 'group' that is Creator Owner.  Currently we only map a uid
permission for that group.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
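The "is invalid for set (Invalid argument)" in the quoted log is the POSIX ACL validity check rejecting the listing that smb_acl_to_posix printed. As an added example (not Samba's code), the Python below applies the POSIX 1003.1e draft 17 rules that acl_valid(3) enforces to that ACL text, and reports the duplicate group:3000007 entry the mail identifies; the ACL text is constructed from the log lines above.

```python
import re
from collections import Counter

# Constructed from the 'smb_acl_to_posix: ACL ...' lines quoted in the mail
# (the 'smbd:' prefix stripped): the default ACL that sys_acl_set_file() rejected.
FAILING_DEFAULT_ACL = """\
group:3000007:---
user:3000007:rwx
other::---
group::---
group:3000007:rwx
group:3000005:rwx
user::rwx
group:3000066:rwx
group:3000002:r-x
group:3000067:r-x
mask::rwx
"""

ENTRY_RE = re.compile(r"^(user|group|other|mask):(\d*):([rwx-]{3})$")  # short-form entry

def parse_acl(text):
    """Return [(tag, qualifier, perms), ...]; raise ValueError on bad syntax."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError("malformed ACL entry: %r" % line)
        entries.append(m.groups())
    return entries

def acl_problems(entries):
    """List the violations that make acl_valid(3) fail (empty list = valid):
    exactly one user::, group:: and other::, at most one mask::, a mask whenever
    named entries exist, and no user:/group: qualifier appearing twice."""
    problems = []
    objs = Counter(tag for tag, q, _ in entries if q == "")
    for tag in ("user", "group", "other"):
        if objs[tag] != 1:
            problems.append("need exactly one %s:: entry, found %d" % (tag, objs[tag]))
    if objs["mask"] > 1:
        problems.append("more than one mask:: entry")
    named = Counter((t, q) for t, q, _ in entries if q and t in ("user", "group"))
    for (t, q), n in sorted(named.items()):
        if n > 1:
            problems.append("duplicate %s:%s entry (%d times)" % (t, q, n))
    if named and objs["mask"] == 0:
        problems.append("named entries present but no mask:: entry")
    return problems
```

Running acl_problems(parse_acl(FAILING_DEFAULT_ACL)) reports only the repeated group:3000007 entry, which is consistent with the mail's reading that the domain admins group should have become the single group:: (ACL_GROUP_OBJ) entry rather than a second named group.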
